From 1312c5426e7dd84e396ef2ff35aa09b64d92d382 Mon Sep 17 00:00:00 2001

From: Lumir Balhar <lbalhar@redhat.com>

Date: Fri, 9 Apr 2021 19:33:55 +0200

Subject: [PATCH 3/4] CVE-2021-25293

---

 src/libImaging/SgiRleDecode.c | 88 +++++++++++++++++++++++++++++------

 1 file changed, 75 insertions(+), 13 deletions(-)

diff --git a/src/libImaging/SgiRleDecode.c b/src/libImaging/SgiRleDecode.c

index 2259159..85af456 100644

--- a/src/libImaging/SgiRleDecode.c

+++ b/src/libImaging/SgiRleDecode.c

@@ -25,13 +25,60 @@ static void read4B(UINT32* dest, UINT8* buf)

     *dest = (UINT32)((buf[0] << 24) | (buf[1] << 16) | (buf[2] << 8) | buf[3]);

 }

-static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)

+/*

+   SgiRleDecoding is done in a single channel row oriented set of RLE chunks.

+

+   * The file is arranged as

+     - SGI Header

+     - Rle Offset Table

+     - Rle Length Table

+     - Scanline Data

+

+   * Each RLE atom is c->bpc bytes wide (1 or 2)

+

+   * Each RLE Chunk is [specifier atom] [ 1 or n data atoms ]

+

+   * Copy Atoms are a byte with the high bit set, and the low 7 are

+     the number of bytes to copy from the source to the

+     destination. e.g.

+

+         CBBBBBBBB or 0CHLHLHLHLHLHL   (B=byte, H/L = Hi low bytes)

+

+   * Run atoms do not have the high bit set, and the low 7 bits are

+     the number of copies of the next atom to copy to the

+     destination. e.g.:

+

+         RB -> BBBBB or RHL -> HLHLHLHLHL

+

+   The upshot of this is, there is no way to determine the required

+   length of the input buffer from reloffset and rlelength without

+   going through the data at that scan line.

+

+   Furthermore, there's no requirement that individual scan lines

+   pointed to from the rleoffset table are in any sort of order or

+   used only once, or even disjoint. There's also no requirement that

+   all of the data in the scan line area of the image file be used

+

+ */

+

+static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize, UINT8 *end_of_buffer)

 {

+    /*

+     * n here is the number of rlechunks

+     * z is the number of channels, for calculating the interleave

+     *   offset to go to RGBA style pixels

+     * xsize is the row width

+     * end_of_buffer is the address of the end of the input buffer

+     */

+

     UINT8 pixel, count;

     int x = 0;

     for (;n > 0; n--)

     {

+        if (src > end_of_buffer) {

+            return -1;

+        }

         pixel = *src++;

         if (n == 1 && pixel != 0)

             return n;

@@ -43,6 +90,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)

         }

         x += count;

         if (pixel & RLE_COPY_FLAG) {

+            if (src + count > end_of_buffer) {

+                return -1;

+            }

             while(count--) {

                 *dest = *src++;

                 dest += z;

@@ -50,6 +100,9 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)

         }

         else {

+            if (src > end_of_buffer) {

+                return -1;

+            }

             pixel = *src++;

             while (count--) {

                 *dest = pixel;

@@ -61,7 +114,7 @@ static int expandrow(UINT8* dest, UINT8* src, int n, int z, int xsize)

     return 0;

 }

-static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)

+static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize, UINT8 *end_of_buffer)

 {

     UINT8 pixel, count;

@@ -69,6 +122,9 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)

     for (;n > 0; n--)

     {

+        if (src + 1 > end_of_buffer) {

+            return -1;

+        }

         pixel = ((UINT8*)src)[1];

         ++src;

         if (n == 1 && pixel != 0)

@@ -81,12 +137,18 @@ static int expandrow2(UINT16* dest, UINT16* src, int n, int z, int xsize)

         }

         x += count;

         if (pixel & RLE_COPY_FLAG) {

+            if (src + 2 * count > end_of_buffer) {

+                return -1;

+            }

             while(count--) {

                 *dest = *src++;

                 dest += z;

             }

         }

         else {

+            if (src + 2 > end_of_buffer) {

+                return -1;

+            }

             while (count--) {

                 *dest = *src;

                 dest += z;

@@ -136,8 +198,10 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,

         return -1;

     }

     _imaging_seek_pyFd(state->fd, SGI_HEADER_SIZE, SEEK_SET);

-    _imaging_read_pyFd(state->fd, (char*)ptr, c->bufsize);

-

+    if (_imaging_read_pyFd(state->fd, (char *)ptr, c->bufsize) != c->bufsize) {

+        state->errcode = IMAGING_CODEC_UNKNOWN;

+        return -1;

+    }

     /* decoder initialization */

     state->count = 0;

@@ -168,8 +232,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,

     for (c->tabindex = 0, c->bufindex = c->tablen * sizeof(UINT32); c->tabindex < c->tablen; c->tabindex++, c->bufindex+=4)

         read4B(&c->lengthtab[c->tabindex], &ptr[c->bufindex]);

-    state->count += c->tablen * sizeof(UINT32) * 2;

-

     /* read compressed rows */

     for (c->rowno = 0; c->rowno < im->ysize; c->rowno++, state->y += state->ystep)

     {

@@ -177,19 +239,21 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,

         {

             c->rleoffset = c->starttab[c->rowno + c->channo * im->ysize];

             c->rlelength = c->lengthtab[c->rowno + c->channo * im->ysize];

-            c->rleoffset -= SGI_HEADER_SIZE;

-            if (c->rleoffset + c->rlelength > c->bufsize) {

+            // Check for underflow of rleoffset-SGI_HEADER_SIZE

+            if (c->rleoffset < SGI_HEADER_SIZE) {

                 state->errcode = IMAGING_CODEC_OVERRUN;

                 goto sgi_finish_decode;

             }

+            c->rleoffset -= SGI_HEADER_SIZE;

+

             /* row decompression */

             if (c->bpc ==1) {

-                status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);

+                status = expandrow(&state->buffer[c->channo], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);

             }

             else {

-                status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize);

+                status = expandrow2(&state->buffer[c->channo * 2], &ptr[c->rleoffset], c->rlelength, im->bands, im->xsize, &ptr[c->bufsize-1]);

             }

             if (status == -1) {

                 state->errcode = IMAGING_CODEC_OVERRUN;

@@ -198,7 +262,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,

                 goto sgi_finish_decode;

             }

-            state->count += c->rlelength;

         }

         /* store decompressed data in image */

@@ -206,7 +269,6 @@ ImagingSgiRleDecode(Imaging im, ImagingCodecState state,

     }

-    c->bufsize++;

 sgi_finish_decode: ;

@@ -217,5 +279,5 @@ sgi_finish_decode: ;

         state->errcode=err;

         return -1;

     }

-    return state->count - c->bufsize;

+    return 0;

 }

-- 

2.30.2